exim: dropping spam based on score threshold?

**jnagro** · 12-05-2006 02:12 PM

I've made exim servers deny spam based on a score threshold, ie if the score is above X dont accept the message (deny) or :fail: it. I've poked around the cpanel config and its perl functions but i'm having a hard time adding it. Does anyone know where/how i can do that? I'm assuming ClamAV also won't accept malware? (deny? or :fail:?)

**jnagro** · 12-05-2006 04:37 PM

i added this to the 'check_message' acl:

Code:

deny message = Spam score too high ($spam_score)
    spam = mailnull:true/defer_ok
    condition = ${if >{$spam_score_int}{150}{1}{0}}

which will deny any mail with a spam score of 15 or higher (fyi: exim will do something like score * 10 = 150, hence the 150)

**mickalo** · 12-05-2006 04:59 PM

Originally Posted by jnagro

i added this to the 'check_message' acl:

Code:

deny message = Spam score too high ($spam_score)
    spam = mailnull:true/defer_ok
    condition = ${if >{$spam_score_int}{150}{1}{0}}

which will deny any mail with a spam score of 15 or higher (fyi: exim will do something like score * 10 = 150, hence the 150)

very handy

Added it through the Exim Editor and watched the log file. seems to work quiet nicely:

Code:

tail -f /var/log/exim_rejectlog | grep "Spam score too high"

2006-12-05 15:45:56 1Gri6o-0006Os-Qa H=(dsl85-98-16622.ttnet.net.tr) [85.98.64.238] F=<unfulfilledtambourines@abwc.com> rejected after DATA: Spam score too high (17.0)
2006-12-05 15:47:12 1Gri7z-0006Rg-I5 H=foreaud.classcom.pl [195.150.77.145] F=<sadvoipreadinessuni@voipreadiness.com> rejected after DATA: Spam score too high (17.8)
2006-12-05 15:47:36 1Gri8M-0006T5-03 H=foreaud.classcom.pl [195.150.77.145] F=<sadxinergistixuni@xinergistix.com> rejected after DATA: Spam score too high (22.2)

Thx's
Mickalo

**alan-tor** · 12-05-2006 05:35 PM

Does :fail: work when specified in cPanel's "E-mail Filtering"?

I've created mail filters in cPanel's "E-mail Filtering", called "Filter Maintenance" once you're on that page. I set spam above a certain score to "Discard", but I wonder if :fail: would work there.

Actually, I'm wondering how this can work or how the original poster's idea can work. Presumably mail must first be received at the server in order to be scanned by SpamAssassin. So how can it be set to :fail: when it has already been received?

**nxds** · 12-06-2006 07:47 AM

Originally Posted by jnagro

i added this to the 'check_message' acl:

Code:

deny message = Spam score too high ($spam_score)
    spam = mailnull:true/defer_ok
    condition = ${if >{$spam_score_int}{150}{1}{0}}

which will deny any mail with a spam score of 15 or higher (fyi: exim will do something like score * 10 = 150, hence the 150)

That rocks my world.

Thx

**serversphere** · 12-06-2006 08:25 AM

Be sure you add this through the Exim configuration editor in WHM. Adding this by editing the exim.conf file directly will cause cPanel to overwrite it the next time it updates.

**kdarray** · 12-09-2006 01:24 PM

thanks jnagro for this short and sweet tip

**alwaysweb** · 12-11-2006 06:48 AM

Simple little addin to exim config, thanks!

**alan-tor** · 12-14-2006 03:48 PM

Can someone please explain how this works?

Presumably mail must first be received at the server in order to be scanned by SpamAssassin. So how can it be set to :fail: when it has already been received?

**nxds** · 12-15-2006 05:53 AM

Originally Posted by alanvox

Can someone please explain how this works?

Presumably mail must first be received at the server in order to be scanned by SpamAssassin. So how can it be set to :fail: when it has already been received?

The SMTP conversation isn't completed until the DATA verb is OK'd by the receiving server. In this test, the SA score is calculated after receiving the DATA section, and if too high the message is rejected, if not it is accepted into the queue for delivery. Rejecting the mail during any part of the SMTP conversation is a :fail: action and the sending server is responsible for any NDR, not yours.

**alan-tor** · 12-15-2006 12:43 PM

Since SpamAssassin will scan the message and the message will be :fail:ed before being actually received, is it then possible to do this also for cPanel mail forwarders? I'd love to be able to have SpamAssassin work on mail forwarders rather than just on mail accounts.

**delsurf** · 12-15-2006 02:16 PM

Nice add!! I just installed it and it seems to be working great... I lowered the threshold to 80 though. Hopefully someone can find a way to do this for emails with forwarders.

Thanks again for the script config!

**sds1az** · 12-15-2006 06:38 PM

Yes indeed, very impressive, I put this in last night and checked my logs this morning and was stunned at how effective this is working. I highly recommend everyone to add this to their exim config, thanks for the tip jnagro!

**simplybe** · 12-15-2006 06:59 PM

Hi,
Trying it now

Thanks

**alan-tor** · 12-17-2006 10:35 PM

Has anyone discovered whether this also works for cPanel mail forwarders?

Since SpamAssassin will scan the message and the message will be :fail:ed before being actually received, then it would seem that it should work for mail forwarders.

I'd love to be able to have SpamAssassin work on mail forwarders as well as on mail accounts.

LinkBack

Thread Tools

exim: dropping spam based on score threshold?

figured it out...

thanks

Filed with Developers Exclude files from backup based on a defined maximum size threshold [Case 50767]

HOWTO: Show the spam score in the subject line of spam taged messages

X-Spam-Status: No, score=

X-Spam-Status: Yes, score=0.0

SPAMD dropping spam and not sending